PreCom Hit by Play Ransomware: Major Operational Disruptions

Incident Date:

August 26, 2024


Overview

Victim

Precom

Attacker

Play

Location

Meridian, Idaho, USA

First Reported

August 26, 2024

Ransomware Attack on PreCom by Play Ransomware Group

On August 27, PreCom, a communications infrastructure company based in Boise, Idaho, discovered it had fallen victim to a ransomware attack orchestrated by the Play ransomware group. This incident has caused significant operational disruptions, and the extent of the data leak remains unknown as the company works diligently to assess the full impact and restore its services.

About PreCom

PreCom, established in 1993, specializes in providing comprehensive technology solutions throughout the Mountain West region. With over 80 years of combined experience in communications cabling, the company focuses on delivering high-quality services to both public and private sector organizations. Their offerings include structured cabling, fiber optic cabling, security systems, and various networking solutions designed to enhance connectivity and safety for their clients. PreCom's client-centered approach ensures that each project is tailored to meet specific needs while adhering to budgetary constraints. The company has earned a strong reputation in the Treasure Valley for exceptional customer service and ethical business practices.

Attack Overview

The ransomware attack on PreCom has disrupted its operations significantly. The company, known for its precision and attention to detail in managing complex and large-scale projects, such as the installation of security camera systems at the Boise Airport and access control systems for various facilities, is now grappling with the aftermath of this cyber incident. The attack exposed gaps in PreCom's defenses of the kind that groups like Play routinely exploit; the specific entry point has not been disclosed.

About Play Ransomware Group

The Play ransomware group, also known as PlayCrypt, has been active since June 2022 and has been responsible for numerous high-profile attacks. Initially focusing on Latin America, the group has expanded its operations to North America, South America, and Europe. Play targets a diverse range of industries, including IT, transportation, construction, materials, government entities, and critical infrastructure. The group gains entry through several routes: exposed RDP servers, known FortiOS vulnerabilities (CVE-2018-13379 and CVE-2020-12812, as listed in the joint CISA/FBI advisory AA23-352A), and Microsoft Exchange vulnerabilities (ProxyNotShell, CVE-2022-41040 and CVE-2022-41082). Once inside, the operators dump credentials with Mimikatz to escalate privileges and use custom tooling to enumerate users and computers on the compromised network.

Penetration Methods

Play's intrusions follow a consistent pattern. Initial access comes through exposed RDP services, stolen or reused valid accounts, and unpatched FortiOS and Microsoft Exchange servers. Once inside, the operators run their tooling via scheduled tasks and PsExec, keep scheduled tasks as a persistence mechanism, dump credentials with Mimikatz to escalate privileges, and run utilities that disable antimalware and monitoring agents before deploying the encryptor. That last step shortens the window in which defenders can detect and contain the intrusion, so the earlier stages matter most for detection: each of them leaves ordinary Windows telemetry (RDP logon events, a PSEXESVC service install, scheduled-task creation, antimalware services being stopped or disabled), and a host that shows several of these in sequence is a much stronger signal than any one of them alone.
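The following is an added example, not code from this page or from any Play advisory, showing how the intrusion chain described in the two sections above can be turned into detection logic. It runs over a handful of constructed Windows event records (the event IDs 4624, 4688, 4698, 7040 and 7045 are real Windows Security/System channel IDs; the hosts, users, IP addresses, trusted networks and tool names are assumptions for the demo) and reports hosts where more than one stage of the chain appears.

```python
"""Detection sketch for the Play ransomware intrusion chain.

Added example, not the page's or Play's code. It classifies normalised Windows
events into the stages named in the text (RDP access, PsExec execution,
scheduled-task persistence, Mimikatz credential dumping, antimalware tampering)
and escalates hosts that show more than one stage.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed allow-list: RDP logons from outside these ranges are suspicious.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]

PSEXEC_SERVICE = "PSEXESVC"                      # service PsExec installs on the target
MIMIKATZ = re.compile(r"mimikatz|sekurlsa::|lsadump::", re.IGNORECASE)
# Assumed list of AV-tampering utilities; defenders would maintain this.
AV_TAMPER_TOOLS = {"gmer.exe", "iobitunlocker.exe", "powertool.exe"}
AV_SERVICES = {"windefend", "sense", "mssense"}  # Defender / Defender for Endpoint

# Constructed sample telemetry in the dict form a SIEM hands back after parsing
# event XML. Not real PreCom data.
SAMPLE_EVENTS = [
    {"Host": "FS01", "EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.45", "User": "svc_backup"},
    {"Host": "WS07", "EventID": 4624, "LogonType": 10, "IpAddress": "10.20.4.11", "User": "jdoe"},
    {"Host": "FS01", "EventID": 7045, "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"Host": "FS01", "EventID": 4698, "TaskName": r"\Microsoft\Windows\Update", "Command": "powershell.exe -enc SQBFAFgA"},
    {"Host": "DC01", "EventID": 4688, "NewProcessName": r"C:\Users\Public\m.exe",
     "CommandLine": "m.exe privilege::debug sekurlsa::logonpasswords"},
    {"Host": "FS01", "EventID": 4688, "NewProcessName": r"C:\temp\gmer.exe", "CommandLine": "gmer.exe"},
    {"Host": "FS01", "EventID": 7040, "ServiceName": "WinDefend", "Detail": "changed from auto start to disabled"},
    {"Host": "WS07", "EventID": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]


def classify(ev):
    """Map one event to a stage of the chain, or None if it looks benign."""
    eid = ev.get("EventID")
    if eid == 4624 and ev.get("LogonType") == 10:          # LogonType 10 = RemoteInteractive (RDP)
        ip = ipaddress.ip_address(ev["IpAddress"])
        if not any(ip in net for net in TRUSTED_NETS):
            return "initial_access_rdp"
        return None
    if eid == 7045 and ev.get("ServiceName", "").upper() == PSEXEC_SERVICE:
        return "execution_psexec"                          # new service install = PsExec run
    if eid == 4698:                                        # scheduled task created; noisy alone,
        return "persistence_scheduled_task"                # which is why escalate() needs >1 stage
    if eid == 4688:                                        # process creation
        exe = ev.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
        if exe in AV_TAMPER_TOOLS:
            return "defense_evasion_av_tamper"
        if MIMIKATZ.search(ev.get("CommandLine", "")):
            return "credential_access_mimikatz"
        return None
    if (eid == 7040 and ev.get("ServiceName", "").lower() in AV_SERVICES
            and "disabled" in ev.get("Detail", "")):       # service start type changed
        return "defense_evasion_av_tamper"
    return None


def stages_by_host(events):
    """Collect the distinct stages seen on each host."""
    hits = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            hits[ev["Host"]].add(tag)
    return dict(hits)


def escalate(events, min_stages=2):
    """Hosts showing at least min_stages distinct stages: a chain, not a one-off."""
    return sorted(h for h, s in stages_by_host(events).items() if len(s) >= min_stages)


if __name__ == "__main__":
    for host, stages in sorted(stages_by_host(SAMPLE_EVENTS).items()):
        print(host, sorted(stages))
    print("escalate:", escalate(SAMPLE_EVENTS))
```

The point of `escalate()` is the correlation: a scheduled task or a single RDP logon is everyday noise, but the same host showing an external RDP logon, a PSEXESVC install, a new task and Defender being disabled within the same window is the pattern the text describes, and that is what should page someone.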

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing near real-time tracking of ransomware attacks, the groups behind them and their victims. Given how lucrative these operations have proved for threat actors, ransomware has become the most widespread and the most financially and informationally damaging cyber threat facing businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.